Cybersecurity Awareness – Identity Theft (Part 2)

It’s been a few months since the Part 1 article on identity theft awareness. National Cyber Security Awareness Month in October and National Data Privacy Day on January 28th are both behind us. However, the need to be safe in cyber space is an ongoing process. In the previous article on Identity Theft, we covered four types – (1) stolen debit/credit cards for financial gain by stealing money from the victim, (2) criminal ID theft for committing crimes in the victim’s name, (3) medical ID theft for treatment, supplies or services in the victim’s name, and (4) child ID theft for misrepresentation to acquire money or jobs. We also covered some physical security methods to help protect your personal information. Another earlier article on cybersecurity awareness covered some general actions to take in protecting your computer at home, which also help prevent Identity Theft, so that won’t be repeated here. In this article, we will start where we left off with physical security steps and cover some other basic steps you can take to protect your information in cyber space.

Keep in mind that many cyber criminals gather information from several different sources in order to learn as much about a person’s identity as possible, so you need to protect the different places your information may be stored or used. Also remember that even if you do not actively use the internet for online purchases, financial transactions or medical purposes, there are probably many companies that have your personal information in online databases because you have done business with them. You have probably seen the news about major data breaches in 2014 at stores such as Target, The Home Depot, and Neiman Marcus, and also at JPMorgan Chase bank. You can’t stop those breaches, but you can limit some of the possible impact to yourself by the way you protect your identity across multiple businesses, so the cyber criminals can’t use your information from one location to access your accounts or information at other locations.

After the physical security steps from the previous ID Theft article, there are several basic steps you can take to help protect your digital information, both at home and what is stored online. One thing the cyber criminals are trying to get are user account credentials (a user name and password). So, one of the first steps you can take to guard your information is use different user names and passwords for each online account you have. In some cases, companies require your email address and use that as the user name for login, so you might feel limited on changing it. However, you can get free email accounts from several sources, and you can create separate accounts for specific online services. This step may be too complex and cumbersome for most people, because you would have to keep track of which email account is used with which online service (and its related password). Most people will simply use their primary, personal email account when needed. For those online services which allow you to create your own user name, you should actually create a specific user name for that service and, of course, keep track of that information.

More importantly, especially when having to use your email account as the user name for several different online services, you need to create separate passwords for each online account. If you don’t, once a cyber criminal steals user names and passwords from one company’s database, they will try to use that information on many other online sites until they find another place where it gives them access to that person’s online account, and so on. Passwords should be “long and strong,” meaning they should contain at least eight characters (having more will make it harder for criminals to crack them) and they should use a combination of lower-case letters, upper-case letters, numbers, and special characters (usually the ones on the keyboard above the numbers, by using the shift-key). For instance, “password” is weak, “Pa$$woRD” is better but still weak, and “p@$5W0rD%” is stronger (just as an example). You should not create passwords which contain your first or last name, names of family members or pets or any common dictionary words. You can also create a password from a phrase or your favorite song lyrics – for example, a password might be “MhAlLWfWwAs” which doesn’t have any numbers or special characters, and it came from “Mary had a little lamb whose fleece was white as snow” (taking the first letter of each word). Lastly, you should change your passwords on a regular basis, at least every six months or more often.

Keep your passwords in a secure place, never leave them out in the open (such as on a notepad) and don’t share them with anyone else. If you create a file on your computer to save your passwords, do not name the file anything that relates to “password” or something similar, where cyber criminals would look if they hacked into your computer. Also, you should encrypt such a file (using a unique password with 12 to 16 characters), so that if it is stolen, it can’t be opened easily. Instead of creating and updating your own password file, you might want to use a password manager, which is a software program, that can be used either from your local computer or from the Internet. The online password managers are regular targets for cyber criminals and most cybersecurity experts recommend against using them, in favor of using a password program on your local computer.

Now, let’s move on to some other security steps you should take to prevent identity theft. Most of us get email messages from our banks and credit card companies, and they usually provide an “easy” link to their website, so you can check your balance or make a payment. Many people click on those links to do just that; however, I recommend that you do not use the email link. Tens of thousands of fraudulent “phishing” email messages are sent each week, looking exactly like they came from your financial institution – because the criminals simply copied all the logos and other information from the original site. They may have even been able to obtain the last four digits of your credit card number, so now it really looks legitimate, including the website that you are taken to when you clicked on the link. So, you enter your user name and password, then you are asked to verify your full account number (which you provide), and you get some sort of message that says “the website is not currently available, try again later” (or something similar). Now the criminals have everything they need to not only take all the available funds from that account, but also to open new credit card accounts which will be charged to you. The point of this scenario is, don’t click on email links – you should go to your web browser and manually type in the correct address, then bookmark it (add it to Favorites), so you can come back to it later. That way, you know you are going to the correct website and you should be able to perform whatever transactions are necessary. In a similar fashion, if you get a phone call from someone saying they are from your bank or credit card company, never give them personal or account information. You should initiate the phone call to your bank or the toll-free number for your credit card, and they will ask you to confirm some identifying information to ensure it’s you – in this case, you made the call and should know with whom you are speaking.

As mentioned in the prior article, checking your credit report on a regular basis is another way to help find out if you might be a victim of identity theft. You should also be checking and verifying your monthly bank account statement and all credit card statements, looking for any unusual activity or any transactions you didn’t make. Contact the institution immediately, if you find errors or suspicious activity. Consider setting up your online account with email or cell phone alerts for account activity that would be unusual (e.g., large withdrawals or transfers). Read the privacy statements and information disclosure options for your online financial sites, to see what information they collect, how they use it, and what rights you have to tell them not to share your information with other companies (and often for cross-sales within the company). It’s best for you to control who has your information, as much as possible.

As stated in the previous articles, if you think you have been a victim of a cybercrime, whether it’s identity theft or something else, contact your local law enforcement agency, or businesses can file an online complaint with the Internet Crime Complaint Center (www.ic3.gov). In the San Diego region, local, state, and federal law enforcement agencies are linked together through the regional Computer And Technology Crime High-tech (CATCH) Response Team (www.catchteam.org) and cybercrime cases are actively pursued. The San Diego region is also fortunate to be home of the nationally recognized Identity Theft Resource Center (www.idtheftcenter.org), as well as Securing Our eCity Foundation (securingourecity.org), a non-profit organization with public-sector and private-sector participation, whose purpose is to help educate the public and small/medium businesses in cybersecurity awareness.

This blog was written by Alan Watkins, Adjunct Professor at National University.